iOS Web Attack Surfaces That Can Crash and Restart Your iPhone

While Apple is busy with last-minute preparations for iOS 12, a security researcher has shown a proof-of-concept webpage that uses CSS to instantly crash and restart an iPhone or iPad running iOS. The same CSS-based hack reportedly also freezes a Safari window once you access it on a Mac. The 15-line Web code snippet that highlights the flaw in Apple’s operating system tries to use all the available resources on your iOS device. This causes a kernel panic and ultimately a sudden restart.

In July, ex-NSA security researcher Patrick Wardle spotted a bug that crashed iOS devices on typing Taiwan in iMessage, Facebook, WhatsApp, or other apps, after receiving the Taiwanese flag emoji. The code behind that denial-of-service bug was found to exist in iOS 11.3, though Apple issued a fix at a later stage with the iOS 11.4.1 update.

Security researcher Sabri Haddouche on Saturday tweeted the URL of the proof-of-concept webpage that crashes iOS devices. Haddouche also posted the source code of the webpage on GitHub to detail the force-restart flaw. We were able to replicate the flaw and force restart an iPhone 7 running the latest iOS 11.4.1 and an iPhone 7 Plus running the most recent iOS 12 beta; the security researcher says that it affects all devices running iOS 9.0 and above.

The webpage is said to use all the available resources to cause a kernel panic on the system, causing the smartphone to power cycle off and on to prevent damage to the electronics. The code, based on HTML and CSS, contains numerous <div> tags. The CSS lines instruct the browser to apply a blur effect to every <div> element on the page, overloading the WebKit renderer. Because every browser on iOS renders pages with WebKit, you’ll experience similar results whether you’re using Safari or Firefox on your iPhone or iPad.
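A content filter or mail gateway can look for the pattern described above (a stylesheet blur applied to `<div>` elements on a page that contains a very large number of them). The heuristic below is an added example, not code from the article or from Haddouche's proof of concept; the threshold of 1000 and the names `assess`, `blur_targets_divs` and `constructed_page` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

DIV_THRESHOLD = 1000  # assumption: the article only says "numerous" <div> tags
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")  # selector list, declaration body

class PageStats(HTMLParser):
    """Counts <div> elements and collects the text of <style> blocks."""
    def __init__(self):
        super().__init__()
        self.div_count, self.css, self._in_style = 0, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        elif tag == "div":
            self.div_count += 1

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)

def blur_targets_divs(css):
    """True if a stylesheet rule applies blur() through a div or * selector."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # drop CSS comments
    for selectors, body in RULE_RE.findall(css):
        if "blur(" not in body.lower():
            continue
        for sel in selectors.split(","):
            last = re.split(r"[\s>+~]+", sel.strip())[-1].lower()  # rightmost compound
            if last == "*" or re.match(r"div(?![\w-])", last):
                return True
    return False

def assess(html):
    """Flag a page that blurs its <div>s and has at least DIV_THRESHOLD of them."""
    stats = PageStats()
    stats.feed(html)
    stats.close()
    blurred = blur_targets_divs("".join(stats.css))
    return {"divs": stats.div_count, "blur_on_divs": blurred,
            "suspicious": blurred and stats.div_count >= DIV_THRESHOLD}

def constructed_page(n_divs, css):  # constructed sample input, not a real page
    return "<style>%s</style><body>%s</body>" % (css, "<div></div>" * n_divs)
```

The check reads only `<style>` blocks in the fetched HTML, so external stylesheets and script-generated markup are outside what it can see.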

Unlike some past iOS hacks that triggered crashes through iMessage or other messaging apps, the latest case causes the sudden restart once you visit the specific webpage. This makes it less impactful. Also, it is worth noting here that the hack doesn’t involve any data loss – it just crashes the system by putting too much load on it. As it is only 15 lines of code, it can be planted into seemingly innocent websites, or sent via text message.

Nonetheless, Haddouche said that “anything that renders HTML on iOS is affected” by the flaw, as quoted by TechCrunch. This means the link to the hack can be found in any social media app such as Facebook or Twitter, or could be delivered through an email or a WhatsApp message. Once you tap that link, your device will freeze for a second and then restart.

TechCrunch reports that Haddouche has already notified Apple about the hack. It is, however, unclear whether the Cupertino giant will be able to fix the flaw in the upcoming iOS 12 update or through a new iOS 12 point release. Meanwhile, it is recommended to avoid tapping any unknown links on your iOS devices.